On August 13, the WeChat public account "Tencent Yushen Threat Intelligence Center" issued a document saying that German Wiper was sent via spam containing false job applications, and the ZIP attachment of spam contained malicious LNK files. Once downloaded to the device, the malware overwrites the contents of the local file so that it cannot be recovered. After that, the virus changes the file extension to a string of five random alphanumeric characters. Once the contents of the file have been rewritten, the ransom message written in German is opened with the browser of the infected device, requesting a $1,500 worth of bitcoin for the decryption key. However, even if a ransom is paid, the overwritten file will not be recovered and the file will be permanently overwritten.